Why GitHub Is Mandating Two-Factor Authentication for All Contributors by End‑2023
GitHub announced that, starting in 2023, every code contributor must enable two‑factor authentication or lose the ability to push code, a move aimed at strengthening account security across its massive developer ecosystem despite low current adoption rates.
GitHub, the code‑hosting platform used by tens of millions of developers worldwide, announced that all code contributors must enable two‑factor authentication (2FA) by the end of 2023, otherwise they will be unable to push code to repositories.
Two‑factor authentication adds an additional verification step beyond the password, enhancing account security.
GitHub says the move is part of a broader effort to protect the software ecosystem by raising account security.
According to GitHub’s statistics, only about 16.5% of active users and 6.44% of npm users have enabled any form of 2FA.
GitHub has already moved beyond passwords alone: it has deprecated basic authentication for Git operations and its API, and now requires email and device verification in addition to username and password.
“2FA is a strong next line of defense,” GitHub stated.
Some users describe the decision as a major step toward making account takeover harder.
Others worry about the impact on contributors who do not adopt 2FA, noting that GitHub will remove organization members and owners who lack 2FA, potentially causing access issues and support challenges.
Casey Bisson, head of product and developer relations at BluBracket, welcomed the move but questioned how effective 2FA is at protecting code.
He noted that even companies with robust 2FA, such as those recently targeted by the Lapsus$ group, still suffered source‑code leaks, exposing keys and passwords.
